forked from torvalds/linux
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
UBSAN: run-time undefined behavior sanity checker
UBSAN uses compile-time instrumentation to catch undefined behavior (UB). Compiler inserts code that perform certain kinds of checks before operations that could cause UB. If check fails (i.e. UB detected) __ubsan_handle_* function called to print error message. So the most of the work is done by compiler. This patch just implements ubsan handlers printing errors. GCC has this capability since 4.9.x [1] (see -fsanitize=undefined option and its suboptions). However GCC 5.x has more checkers implemented [2]. Article [3] has a bit more details about UBSAN in the GCC. [1] - https://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Debugging-Options.html [2] - https://gcc.gnu.org/onlinedocs/gcc/Debugging-Options.html [3] - http://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/ Issues which UBSAN has found thus far are: Found bugs: * out-of-bounds access - 97840cb ("netfilter: nfnetlink: fix insufficient validation in nfnetlink_bind") undefined shifts: * d48458d ("jbd2: use a better hash function for the revoke table") * 1063200 ("clockevents: Prevent shift out of bounds") * 'x << -1' shift in ext4 - http://lkml.kernel.org/r/<[email protected]> * undefined rol32(0) - http://lkml.kernel.org/r/<[email protected]> * undefined dirty_ratelimit calculation - http://lkml.kernel.org/r/<[email protected]> * undefined roundown_pow_of_two(0) - http://lkml.kernel.org/r/<[email protected]> * [WONTFIX] undefined shift in __bpf_prog_run - http://lkml.kernel.org/r/<CACT4Y+ZxoR3UjLgcNdUm4fECLMx2VdtfrENMtRRCdgHB2n0bJA@mail.gmail.com> WONTFIX here because it should be fixed in bpf program, not in kernel. signed overflows: * 32a8df4 ("sched: Fix odd values in effective_load() calculations") * mul overflow in ntp - http://lkml.kernel.org/r/<[email protected]> * incorrect conversion into rtc_time in rtc_time64_to_tm() - http://lkml.kernel.org/r/<[email protected]> * unvalidated timespec in io_getevents() - http://lkml.kernel.org/r/<CACT4Y+bBxVYLQ6LtOKrKtnLthqLHcw-BMp3aqP3mjdAvr9FULQ@mail.gmail.com> * [NOTABUG] signed overflow in ktime_add_safe() - http://lkml.kernel.org/r/<CACT4Y+aJ4muRnWxsUe1CMnA6P8nooO33kwG-c8YZg=0Xc8rJqw@mail.gmail.com> [[email protected]: fix unused local warning] [[email protected]: fix __int128 build woes] Signed-off-by: Andrey Ryabinin <[email protected]> Cc: Peter Zijlstra <[email protected]> Cc: Sasha Levin <[email protected]> Cc: Randy Dunlap <[email protected]> Cc: Rasmus Villemoes <[email protected]> Cc: Jonathan Corbet <[email protected]> Cc: Michal Marek <[email protected]> Cc: Thomas Gleixner <[email protected]> Cc: Ingo Molnar <[email protected]> Cc: "H. Peter Anvin" <[email protected]> Cc: Yury Gribov <[email protected]> Cc: Dmitry Vyukov <[email protected]> Cc: Konstantin Khlebnikov <[email protected]> Cc: Kostya Serebryany <[email protected]> Cc: Johannes Berg <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Linus Torvalds <[email protected]>
- Loading branch information
Showing
17 changed files
with
693 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| Undefined Behavior Sanitizer - UBSAN | ||
|
|
||
| Overview | ||
| -------- | ||
|
|
||
| UBSAN is a runtime undefined behaviour checker. | ||
|
|
||
| UBSAN uses compile-time instrumentation to catch undefined behavior (UB). | ||
| Compiler inserts code that perform certain kinds of checks before operations | ||
| that may cause UB. If check fails (i.e. UB detected) __ubsan_handle_* | ||
| function called to print error message. | ||
|
|
||
| GCC has that feature since 4.9.x [1] (see -fsanitize=undefined option and | ||
| its suboptions). GCC 5.x has more checkers implemented [2]. | ||
|
|
||
| Report example | ||
| --------------- | ||
|
|
||
| ================================================================================ | ||
| UBSAN: Undefined behaviour in ../include/linux/bitops.h:110:33 | ||
| shift exponent 32 is to large for 32-bit type 'unsigned int' | ||
| CPU: 0 PID: 0 Comm: swapper Not tainted 4.4.0-rc1+ #26 | ||
| 0000000000000000 ffffffff82403cc8 ffffffff815e6cd6 0000000000000001 | ||
| ffffffff82403cf8 ffffffff82403ce0 ffffffff8163a5ed 0000000000000020 | ||
| ffffffff82403d78 ffffffff8163ac2b ffffffff815f0001 0000000000000002 | ||
| Call Trace: | ||
| [<ffffffff815e6cd6>] dump_stack+0x45/0x5f | ||
| [<ffffffff8163a5ed>] ubsan_epilogue+0xd/0x40 | ||
| [<ffffffff8163ac2b>] __ubsan_handle_shift_out_of_bounds+0xeb/0x130 | ||
| [<ffffffff815f0001>] ? radix_tree_gang_lookup_slot+0x51/0x150 | ||
| [<ffffffff8173c586>] _mix_pool_bytes+0x1e6/0x480 | ||
| [<ffffffff83105653>] ? dmi_walk_early+0x48/0x5c | ||
| [<ffffffff8173c881>] add_device_randomness+0x61/0x130 | ||
| [<ffffffff83105b35>] ? dmi_save_one_device+0xaa/0xaa | ||
| [<ffffffff83105653>] dmi_walk_early+0x48/0x5c | ||
| [<ffffffff831066ae>] dmi_scan_machine+0x278/0x4b4 | ||
| [<ffffffff8111d58a>] ? vprintk_default+0x1a/0x20 | ||
| [<ffffffff830ad120>] ? early_idt_handler_array+0x120/0x120 | ||
| [<ffffffff830b2240>] setup_arch+0x405/0xc2c | ||
| [<ffffffff830ad120>] ? early_idt_handler_array+0x120/0x120 | ||
| [<ffffffff830ae053>] start_kernel+0x83/0x49a | ||
| [<ffffffff830ad120>] ? early_idt_handler_array+0x120/0x120 | ||
| [<ffffffff830ad386>] x86_64_start_reservations+0x2a/0x2c | ||
| [<ffffffff830ad4f3>] x86_64_start_kernel+0x16b/0x17a | ||
| ================================================================================ | ||
|
|
||
| Usage | ||
| ----- | ||
|
|
||
| To enable UBSAN configure kernel with: | ||
|
|
||
| CONFIG_UBSAN=y | ||
|
|
||
| and to check the entire kernel: | ||
|
|
||
| CONFIG_UBSAN_SANITIZE_ALL=y | ||
|
|
||
| To enable instrumentation for specific files or directories, add a line | ||
| similar to the following to the respective kernel Makefile: | ||
|
|
||
| For a single file (e.g. main.o): | ||
| UBSAN_SANITIZE_main.o := y | ||
|
|
||
| For all files in one directory: | ||
| UBSAN_SANITIZE := y | ||
|
|
||
| To exclude files from being instrumented even if | ||
| CONFIG_UBSAN_SANITIZE_ALL=y, use: | ||
|
|
||
| UBSAN_SANITIZE_main.o := n | ||
| and: | ||
| UBSAN_SANITIZE := n | ||
|
|
||
| Detection of unaligned accesses controlled through the separate option - | ||
| CONFIG_UBSAN_ALIGNMENT. It's off by default on architectures that support | ||
| unaligned accesses (CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y). One could | ||
| still enable it in config, just note that it will produce a lot of UBSAN | ||
| reports. | ||
|
|
||
| References | ||
| ---------- | ||
|
|
||
| [1] - https://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Debugging-Options.html | ||
| [2] - https://gcc.gnu.org/onlinedocs/gcc/Debugging-Options.html |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| config ARCH_HAS_UBSAN_SANITIZE_ALL | ||
| bool | ||
|
|
||
| config UBSAN | ||
| bool "Undefined behaviour sanity checker" | ||
| help | ||
| This option enables undefined behaviour sanity checker | ||
| Compile-time instrumentation is used to detect various undefined | ||
| behaviours in runtime. Various types of checks may be enabled | ||
| via boot parameter ubsan_handle (see: Documentation/ubsan.txt). | ||
|
|
||
| config UBSAN_SANITIZE_ALL | ||
| bool "Enable instrumentation for the entire kernel" | ||
| depends on UBSAN | ||
| depends on ARCH_HAS_UBSAN_SANITIZE_ALL | ||
| default y | ||
| help | ||
| This option activates instrumentation for the entire kernel. | ||
| If you don't enable this option, you have to explicitly specify | ||
| UBSAN_SANITIZE := y for the files/directories you want to check for UB. | ||
|
|
||
| config UBSAN_ALIGNMENT | ||
| bool "Enable checking of pointers alignment" | ||
| depends on UBSAN | ||
| default y if !HAVE_EFFICIENT_UNALIGNED_ACCESS | ||
| help | ||
| This option enables detection of unaligned memory accesses. | ||
| Enabling this option on architectures that support unalligned | ||
| accesses may produce a lot of false positives. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.